CWE-1236β€”Improper Neutralization of Formula Elements in a CSV File

PUBLISHEDweakness record
released 2020-02-24 Β· last modified 2025-12-11

Metadata

CWE ID:
CWE-1236
Abstraction:
Base
Structure:
Simple
Status:
Incomplete
Release Date:
2020-02-24
Latest Modification Date:
2025-12-11

Weakness Name

Improper Neutralization of Formula Elements in a CSV File

Description

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

Common Consequences

Scope:
Confidentiality
Impact:
Read Application Data, Execute Unauthorized Code or Commands
Notes:
Attackers can populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software. Note that current versions of Excel warn users of untrusted content.

Related Weaknesses